Overview

The objective of this course is to provide extensive hands-on training on Java Application Security. The key highlights of this course are:

• In-depth discussion and hands-on walkthrough of common Web Application vulnerabilities with focus on impact analysis through exploitation.
• Special focus on Java technologies such as Applet Testing, Thick Client Testing including Java implementations of SAML, OAuth etc.
• Introduction and usage of Java Security Frameworks and security libraries.
• Hands-on demonstration on how to avoid and mitigate common Web Application Vulnerabilities for Java applications.

At the end of the program, participants should be able to:

• Perform Penetration Testing of Java based Applications.
• Reproduce vulnerabilities and demonstrate proof-of-Concept exploitation of vulnerabilities.
• Design and architect secure Java based web applications.
• Mitigate vulnerabilities and develop secure coding practices in their SDLC.

Target Audience

• Developers who want to learn secure Java application development.
• Software Testers who want to explore security aspects of application testing.
• Designers and Architects who wants to consider and implement security best practices as a part of architecture and software development life cycle.

Contact Sales

Course Content

---

Note: The list below gives an overview of the topics that we can cover. Actual topic selection will be based on specific requirements and available time frame.

Introduction

• Lab Setup
• Burp Proxy
• Introduction to Web Application Vulnerabilities
• Overview of The OWASP Project

Injection Vulnerabilities

• SQL Injection
• LDAP, XML & OS Command Injection
• Finding and exploiting Injection Vulnerabilities
• Input validation techniques for JavaEE Applications
• Prepared Statements and Stored Procedures

Cross-site Scripting

• Finding and Exploiting XSS in Java Applications
• Output Encoding
• HTTP Security Headers and XSS

Cross-site Request Forgery

• Finding and Exploiting CSRF in Java Applications
• How to implement OWASP CSRFGuard to mitigate CSRF vulnerabilities
• Servlet Filters and CSRF Protection
• Additional Defenses

Authentication

• Authentication Strategies
• Basic/Digest Authentication
• Form based Authentication
• Multi-factor Authentication
• Certificate based Authentication
• OAuth
• SAML
• Using and Enforcing SSL
• Secure Password Storage
• Common Attacks against Authentication Systems
• Implementing Authentication using Spring Security
• Implementing Authentication using Apache Shiro
• Best Practices for implementing Authentication

Authorization

• MAC & RBAC based Access Control
• Insecure Direct Object Reference
• Servlet Filters and CSRF Protection
• Authorization with Spring Security
• Authorization with Apache Shiro

Session Management

• Common Attacks against Session Management
• Session Hijacking Techniques
• Session Fixation
• Clickjacking
• Hardening your Java Application against session related attacks

AJAX and Web Services Testing

• REST / SOAP based Web Service Implementations
• XML Attacks
• XML Injection
• XML Entity Expansion (XXE)
• Testing Web Services using SOAP UI
• Web Services (JAX-RS) Security
• REST Security

File Handling

• Directory Traversal Attacks
• Security guidelines for implementing File Upload and Download
• File upload & Nginx

Client Application Testing

• Reverse Engineering Java Applications
• Thick Client Java Application Testing
• Java Applet Testing
• Flash Content Testing

Framework Security

• Java Security Features
• JSR 303 Validators
• ESAPI Architecture and using ESAPI
• Database and Web Server Security

Secure Software Development Life Cycle

• Threat Modeling for Web Applications (STRIDE, DREAD)
• Tools and Techniques for Static Source Code Analysis
• Top 5 Secure Design Patterns
• Secure SDLC Considerations

Contact Sales